
Guiding Principles for Software Security

June 29, 2010
Behind every attack & security problem is – bad software

A major concern is that security professionals are often unaware the problem is – bad software

Encrypt your data lines?

The riskiest category of software today is Internet-enabled apps

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”

The Most Effective Technique Is Simple

To protect yourself you must

Begin early to think about security,

Know your threats,

Design for security

Test your design thoroughly

Security is not an add-on, but a fundamental property of software

Never completely secure

You must recognize security is one concern among many

Cost

Reusability

Usability

Robustness

Software is not only bad, but attractive
Hackers/crackers want to make your software misbehave

Are they malicious or altruistic?

Full disclosure

Script kiddie

Cracker

Why is software insecure?

Systems are complex, hard to analyze, & hard to secure

Extensible

Ubiquitous

Interdependent [apps, networking, & OS]

Avoid the Attack-then-Patch Approach to Security

Patches are only for known problems

Patches often create new problems

Patches often go unapplied

Patches fix symptoms

It is cheaper both ways

Bugs are much less expensive to find and fix during development

You avoid the potential attacks and user dissatisfaction